First published: Wed Feb 12 2025
Palo Alto Networks GlobalProtect Clientless VPN is intended to provide secure remote access to trusted internal applications. It is not meant to provide access to the Internet, an intranet, or multiple websites. When the Clientless VPN is misconfigured to allow access to the Internet or to any internal website, malicious scripts on one site can obtain sensitive information from, or modify the content of, any application accessible through the VPN, including the Clientless VPN itself. For further details about the risks of clientless VPNs, refer to https://www.kb.cert.org/vuls/id/261869.
Affected Software | Affected Version | How to fix |
---|---|---|
Palo Alto Networks Cloud NGFW | | |
Palo Alto PAN-OS | | |
Palo Alto Networks Prisma Access | | |
The Clientless VPN feature only ensures secure remote access to a single trusted application. Ensure that Clientless VPN access is limited by Security Policies to a single trusted site. Refer to the Configure Clientless VPN page for additional details. Because the Same-Origin Policy is not enforced between applications reached through the Clientless VPN, we strongly recommend configuring access only to trusted pages. Clientless VPN should never be used to allow access to the Internet or an intranet. If you need to secure access to untrusted websites, consider the following alternatives:

* GlobalProtect App (https://docs.paloaltonetworks.com/globalprotect)
* Supported Third Party VPN Client (https://docs.paloaltonetworks.com/compatibility-matrix/reference/globalprotect/what-x-auth-ipsec-clients-are-supported)
* Prisma Access Browser (https://docs.paloaltonetworks.com/prisma-access-browser)
* Web Proxy (https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy) (Note: Web Proxy can only be used to improve web browsing safety. It cannot be used as a VPN.)
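To make the single-trusted-site guidance concrete, the following added Python example (not Palo Alto Networks' code) models how a URL-rewriting clientless gateway collapses distinct backend origins into the gateway's own origin, and audits a configured application list so that exactly one trusted origin remains. The gateway hostname, the application URLs and the rewritten path layout are constructed assumptions; PAN-OS's actual rewriting scheme is not reproduced.

```python
from urllib.parse import urlsplit

# Constructed gateway address (assumption, not a real deployment).
GATEWAY = "https://portal.example.com"


def origin(url: str) -> str:
    """Browser-style origin: scheme, lowercase host and explicit or default port."""
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme, 0)
    return f"{p.scheme}://{(p.hostname or '').lower()}:{port}"


def rewrite(url: str, gateway: str = GATEWAY) -> str:
    """Model of a rewriting clientless gateway: the backend scheme and host are
    folded into the path under the gateway, so every backend page is served
    from the gateway's single origin. (Illustrative layout, an assumption.)"""
    p = urlsplit(url)
    return f"{gateway}/{p.scheme}/{p.netloc}{p.path or '/'}"


def same_origin_after_rewrite(url_a: str, url_b: str) -> bool:
    """True when two backend URLs share one origin once proxied, i.e. when the
    browser's Same-Origin Policy no longer separates their scripts and data."""
    return origin(rewrite(url_a)) == origin(rewrite(url_b))


def audit_clientless_apps(app_urls):
    """Return (ok, findings). ok is True only when the configured list resolves
    to exactly one non-wildcard origin, mirroring the advisory's guidance that
    Clientless VPN front a single trusted site."""
    findings = []
    origins = set()
    for u in app_urls:
        if "*" in u:
            findings.append(f"wildcard entry {u!r} effectively allows many sites")
            continue
        origins.add(origin(u))
    if len(origins) > 1:
        findings.append(
            f"{len(origins)} distinct origins configured; once proxied they all "
            f"share {origin(GATEWAY + '/')} and cannot be isolated from each other"
        )
    if not origins and not findings:
        findings.append("no application configured")
    return (not findings and len(origins) == 1), findings
```

Running `audit_clientless_apps` over a candidate application list before publishing the portal catches the multi-site and wildcard configurations the advisory warns against.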
The severity of PAN-SA-2025-0005 is considered high due to the potential for unauthorized access to the Internet.
To fix PAN-SA-2025-0005, ensure that the GlobalProtect Clientless VPN is properly configured to limit access only to trusted internal applications.
PAN-SA-2025-0005 affects Palo Alto Networks Cloud NGFW, PAN-OS, and Prisma Access.
PAN-SA-2025-0005 addresses a misconfiguration issue that may allow unauthorized Internet access through the Clientless VPN.
A workaround for PAN-SA-2025-0005 is to restrict the Clientless VPN settings so that Internet access is not permitted.